£4,000 bug bounty could have saved BA from record ICO fine

The £183.39m fine handed down by the Information Commissioner’s Office (ICO) to British Airways as a result of its August 2018 data breach could have been completely avoided if the airline had identified vulnerabilities in its system through responsible hacking or bug bounty programmes, according to security testing firm HackerOne.

HackerOne looked at four of the largest UK data breaches of recent years – BA, Carphone Warehouse, TicketMaster and TalkTalk – to draw its conclusions. It found that, based on the current market rates for bug bounty programmes, the four victims could have avoided fines totalling £265.4m for as little as £9,600 paid out in bounties.

TicketMaster, which, like BA, was hacked through a third-party JavaScript vulnerability, could have got away with paying between £4,000 and £8,000 instead of £5m. Carphone Warehouse’s out-of-date WordPress interface could have been an £81 fix as opposed to the £400,000 it ended up costing. TalkTalk, which fell victim to a SQL injection, could have paid between £1,600 and £8,000, but ended up on the hook for £77m.

“Attack surfaces are growing all the time, and it’s a significant challenge just trying to stay ahead of cyber criminals,” said Prash Somaiya, security engineer at HackerOne. “The most secure organisations realise there are many ways to identify where they are most vulnerable.

“By running bug bounty programmes and asking hackers to find their weak spots, our customers have safely resolved over 120,000 vulnerabilities before a breach could occur. This research is a rough estimate on bounty prices, based on our existing programmes across the same industries, but it does highlight that companies can save millions and reduce risk by being proactive when it comes to identifying and patching their vulnerabilities.”

Bug bounty programmes are designed to incentivise hackers to hunt for vulnerabilities and report them to organisations before they can be exploited by cyber criminals.

They are an established part of the cyber security threat mitigation landscape, and there are several reasons for their popularity, including access to wider, external talent pools and more diverse thinking, which helps businesses to spot problems that their internal security teams have missed.

HackerOne’s most recent Hacker Powered Security report revealed that when new bug bounty programmes are launched, the first valid vulnerabilities are reported within 24 hours in more than three-quarters of cases. Such schemes can represent big money for the hacking community, too. Earlier in 2019, the UK’s first ethical hacker to have made more than $1m from bug bounty programmes was named as Mark Litchfield, a US-based but Scotland-born hacker who originally failed his computing A-level.

However, as pointed out by Atlassian CISO Adrian Ludwig in a recent Computer Weekly interview, it is important not to consider bug bounty programmes as a silver bullet, but rather as an element of a cohesive strategy.

Badly implemented bug bounty programmes can result in development teams becoming overwhelmed by notifications, making them more likely to miss crucial vulnerabilities.